One of the many skills that you must demonstrate as a CCENT candidate is your ability to configure basic password security on a Cisco router or switch. This blog post walks you through the configurations you must have mastered in order to succeed in this area of the exam.

While I will demonstrate the configurations required on a Cisco router, keep in mind that they are going to be identical on the model of switch you are presented with in the exam.

First, let us enter user mode on the router, and then enter global configuration mode to set our first password.

The first password we will set is the enable password. It exists for backwards compatibility, in case you ever need to copy this configuration to a system that does not support password encryption. Since our router does support password encryption, note that you will never actually use this password on the device; it is there purely for backwards compatibility.

Router(config)# enable password S0ftBa11

Now that we have taken care of that, it is time to set the encrypted version of the enable password. It is the job of this password to protect Privileged mode on the device. Remember, Privileged mode allows us to make configuration changes to the device.

Router(config)# enable secret SanFr@n

What about protecting User mode, the mode you enter from the console port before you enter Privileged mode? You can do this by setting a password on the console line. When setting a password on any of the lines on the router, you must also use the login command, which instructs the router or switch to check the locally configured password when someone connects to that line.

Great. So pretty darn easy. Except there is one slight problem. The enable secret password is stored with a weak encryption so that it is not readable to the naked eye when viewing the configuration, but all the other passwords above have no encryption at all by default. Here is proof:

Which is stronger security: the MD5 hashing used by enable secret, or Cisco's own password-encryption hashing? You can see with your own eyes that it is the MD5 enable secret. Notice that it produces a longer string of characters and even uses special characters in the hash.

You should also be aware that if you turn off this feature with the command no service password-encryption, future passwords will no longer be hashed, but the hashing already applied to existing passwords is not undone either.
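To make the points above concrete, here is an added example (not from the original post or from Cisco) that audits a running-config excerpt for exactly the settings discussed: an enable password left in clear text, whether enable secret is a type 5 MD5 hash in the $1$salt$hash form, whether service password-encryption is on, which line passwords are clear text versus the reversible type 7 form, and whether each line that has a password also has login. The configuration text is constructed to mirror the post's steps; the secret and type 7 values are format-correct placeholders, not real hashes, and the stanza parser assumes the standard IOS layout where line sub-commands are indented by one space.

```python
import re

# Constructed running-config excerpt (not captured from a real device). The enable
# secret and the type 7 value are placeholders in the right format, not real hashes.
# password-encryption was turned off after the vty password was set, so the vty line
# still shows a type 7 value while the newer console and aux passwords are clear text.
SAMPLE_CONFIG = """\
no service password-encryption
!
enable password S0ftBa11
enable secret 5 $1$abcd$PlaceholderMd5CryptHash0/
!
line con 0
 password Cisc0
 login
line vty 0 4
 password 7 0123456789ABCDEF
 login
line aux 0
 password Aux1
!
"""

# Type 5 secret: Modular Crypt Format "$1$<salt>$<hash>", characters ./0-9A-Za-z only.
TYPE5_RE = re.compile(r"^\$1\$[./0-9A-Za-z]+\$[./0-9A-Za-z]+$")


def parse_line_stanzas(config):
    """Return {line name: [indented sub-commands]} for every 'line ...' stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # any unindented command ends the current stanza
    return stanzas


def audit(config):
    """Return a list of (severity, message) findings; severity is 'high', 'warn' or 'info'."""
    findings = []
    top_level = [l.strip() for l in config.splitlines() if l and not l.startswith(" ")]

    if "service password-encryption" not in top_level:
        findings.append(("warn", "service password-encryption is off: new line passwords are stored in clear text"))

    if any(l.startswith("enable password ") for l in top_level):
        findings.append(("warn", "enable password is set: clear text, and never consulted once an enable secret exists"))

    secret = next((l for l in top_level if l.startswith("enable secret ")), None)
    if secret is None:
        findings.append(("high", "no enable secret: privileged mode is not protected by a hashed secret"))
    else:
        parts = secret.split()
        if len(parts) == 4 and parts[2] == "5" and TYPE5_RE.match(parts[3]):
            findings.append(("info", "enable secret is a salted MD5 hash (type 5, Modular Crypt Format)"))
        else:
            findings.append(("warn", "enable secret is not in the expected type 5 format: %s" % secret))

    for name, cmds in parse_line_stanzas(config).items():
        pw = next((c for c in cmds if c.startswith("password ")), None)
        if pw is None:
            continue  # no line password: nothing stored here to audit
        pw_parts = pw.split()
        if len(pw_parts) == 3 and pw_parts[1] == "7":
            findings.append(("warn", "line %s: password is type 7, which is reversible by design" % name))
        else:
            findings.append(("high", "line %s: password stored in clear text" % name))
        if "login" not in cmds:
            findings.append(("warn", "line %s: password set but 'login' is missing, so it is never checked" % name))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print("[%s] %s" % (severity.upper(), message))
```

Run against the sample, the audit reports seven findings: the encryption service being off, the superfluous enable password, the type 5 secret (informational), clear-text passwords on con 0 and aux 0, the reversible type 7 password on vty 0 4, and the missing login on aux 0. Feed it the output of show running-config from a lab device to see which of the post's recommendations are actually in place.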

As always, thanks for reading, and enjoy your studies. If you have questions regarding this post, do not forget about our incredible forums at http://ieoc.com.

The above will also protect you from a Denial of Service attack where an attacker attempts several simultaneous telnet connections to the router or switch, thus occupying all available VTY lines and preventing the legitimate administrators from managing the device.

Use of ‘enable password’ is very poor practice. “Backwards compatibility” means “backwards security” – if your device supports ‘enable secret’ then you should NOT add an additional, superfluous password that will never be used – except perhaps maliciously as a hint to the ‘secret’ password, or to confuse anyone who doesn’t know the difference between the two commands. The number of times I’ve seen people add the *same* password for both “just in case” (really: because they were trained to) is amazing…

Also, the strength of the MD5 hash has nothing to do with “special characters”, or even that it is longer than the Cisco hash. The reason the ‘secret’ is stronger is that it is not reversible, unlike the ‘password’, which is reversible by design (e.g. for CHAP). The ‘secret’ is in Modular Crypt Format (http://leaf.dragonflybsd.org/cgi/web-man?command=crypt&section=3), where the ‘$’ symbols separate the type, salt and hash parts. The ‘$’ is not a part of the hash itself, which is only characters from “./0-9A-Za-z”. And incidentally, string length is a pretty poor method of evaluating a hash, as is “it looks more complex…”.

Thanks for contributing to our blog site. You remind me to go beyond the exam with these posts and give some real world as well. So often our focus is ensuring the students are equipped to pass the exam with ease that we forget to mention things like “we do not need the enable password today!”

I am also amazed at the number of times you have seen the same password used for the enable and enable secret since the router will not accept it. I presume you put SAME in asterisks because you did not truly mean the SAME.

Excellent clarification on why the MD5 is stronger than the encryption on the service password-encryption command. Thanks again.

I agree with the sentiment that Cisco should be going to great lengths to provide a clear MODEL for securing their network devices – and promoting this from the start!

A Security Model is an IT industry standard method for promoting the right way to go about securing something. Cisco only seems to get into a security model approach later on, in CCNP (perhaps even above).

The course notes should promote username/password, aaa and secret methods for securing devices, while explaining things like line passwords and the rare times the password may be required.

Common sense in any security field is to LOCK it all down as HARD as you can UNTIL IT STARTS COSTING YOU. Then you’ll need to determine if the additional lockdown is worth the additional effort and hassle (risk analysis).

There is a model for automating this; it’s called the “autosecure” feature. For admins who are not clear on what the common vulnerabilities and services of IOS are, this feature is very useful. However, there is no *mandatory* implementation of this, because there are many situations where it is key to selectively enable/disable features manually so there are no surprises in the operation of the device.

